Understanding ISO 26262

To maintain compliance, your team must put the right processes and tools in place to assess and mitigate risks.

Just as important, you need to manage those risks through every step of the product lifecycle – from conceptual development to decommissioning. For many developers of automotive electrical and electronic (E/E) systems, the ISO 26262 functional safety standard can seem complex and overwhelming.

What is the ISO 26262 Functional Safety Standard?

ISO 26262 – Road Vehicles – Functional Safety, published in 2011, provides a unifying safety standard for automotive E/E systems that power an increasing number of vehicle functions, from driver assistance and telematics to engine management and entertainment.

The standard defines functional safety as the “absence of unreasonable risk due to hazards caused by malfunctioning behaviour of electrical/electronic systems.” It covers system hardware and software through every step of the product lifecycle, including development, production, operation, service and decommissioning.

Compliance with ISO 26262 is critical for OEMs, automotive suppliers and developers of automotive E/E components. The 2011 edition applied only to E/E systems installed in series production passenger cars with a maximum gross vehicle mass of 3.5 metric tons. The second edition, published in 2018, has a much broader scope: it addresses more recent technology and applies to E/E systems in all series production road vehicles except mopeds. ISO 26262 is a standard, not a law, so there is no statutory fine for non-compliance. In practice, however, OEMs write it into their supplier requirements, so products without evidence of compliance are hard to sell into the automotive value chain.

In general, the ISO 26262 standard:

  • Acts as a reference you can use to tailor your functional safety activities to each phase of the product lifecycle.
  • Provides an automotive-specific, risk-based framework, the Automotive Safety Integrity Levels (ASILs), for classifying the risk of each hazardous event and assigning the required integrity level to each safety goal. In turn, the ASIL points you to the ISO 26262 requirements that apply in order to avoid unreasonable risk.
  • Details requirements for each step in the compliance process: functional safety management, design, implementation, verification, validation and confirmation measures.
  • Defines requirements for the interfaces and communication between suppliers and customers in distributed developments.

The 2018 edition added two new parts, Part 11 for semiconductors and Part 12 for motorcycles, and added or updated material on the following:

  • Objective-oriented confirmation measures
  • Management of safety anomalies
  • References to cybersecurity
  • Updated target values for hardware architecture metrics
  • Evaluation of hardware elements
  • Additional guidance on dependent failure analysis
  • Guidance on fault tolerance, special safety-related characteristics and software tools
  • Guidance for model-based development and software safety analysis
The 2018 standard does not apply to mopeds, to vehicles that are not in series production (such as prototypes), or to unique E/E systems in special vehicles such as those designed for drivers with disabilities. It also exempts systems and components that were released for production, or already under development, before the publication date.

Why is ISO 26262 Important?


Modern vehicles are increasingly controlled by electronic systems. What started as a mechanical machine has evolved into a vehicle run by sophisticated Electronic Control Units (ECUs) and software. If these systems malfunction or fail, the consequences can be serious, ranging from financial loss, legal liability and regulatory action for OEMs and suppliers to injury and loss of life for end users.

ISO 26262 addresses these changing dynamics. It responds to the need for an international, automotive-specific standard that focuses on safety-critical E/E components. It sets clear standards that enable manufacturers to proactively manage functional safety through the entire lifecycle of the automotive system, from the earliest stages of product development to the point when a vehicle is retired.

This holistic approach means software and hardware teams can better integrate their efforts and create a system of traceability between phases. By identifying and mitigating E/E failures up front, and carrying these functional safety measures between phases, ISO 26262 can have a positive impact on all stakeholders.


How does ISO 26262 Work?


A typical ISO 26262 workflow looks like this:

  • Define the item (the system or set of systems that implements a vehicle-level function) and identify the safety risks associated with its E/E components.
  • Assess those risks by performing a Hazard Analysis and Risk Assessment (HARA) on the item. Hazards are classified at the item level, not component by component.
  • Create safety goals to prevent or reduce each hazardous event identified in the HARA.
  • Assign an ASIL to each safety goal. The ASIL determines which requirements of the standard apply in order to reduce the risk to an acceptable level.
  • Derive and implement functional and technical safety requirements that meet the ASIL of the safety goal they support.
  • Integrate the safety requirements into your workflow, using tools to test and validate results and to establish traceability from safety goals down to hardware and software.
  • Carry out the confirmation measures the standard requires (confirmation reviews, functional safety audit and functional safety assessment), with the degree of independence of the reviewer depending on the ASIL. Formal certification by a third-party assessor is not mandated by the standard itself, but many customers ask for it.

The 12 Parts of ISO 26262

The original 2011 edition of ISO 26262 featured 10 parts, but ISO updated the standard in 2018 to address emerging technologies and cover a broader scope that now includes trucks, buses, trailers, semi-trailers and motorcycles.

As a result, the 2018 standard now features 12 sections. Each part offers guidance that enables your team to evaluate risk and establish corrective measures to proactively manage functional safety. While the 2018 standard exempts components released for production prior to publication, as well as systems under development during publication, the 12 parts do address altering existing systems and integrating non-compliant systems by tailoring the safety lifecycle to meet the requirements.


Part 1 – Vocabulary

Part 1 provides a project glossary, defining terms related to functional safety requirements in E/E system development. Of particular interest are specific definitions for “fault,” “error” and “failure” as they apply to functional safety processes.

Part 2 – Management of Functional Safety

Part 2 describes how to manage functional safety across the lifecycle: overall safety management (safety culture, competence and quality management), project-dependent safety management during development (the safety plan, the safety manager role and the safety case) and safety management after release for production. It also specifies the confirmation measures: confirmation reviews, the functional safety audit and the functional safety assessment.

Part 3 – Concept Phase

Part 3 defines processes to assure functional safety during the early stages of development. It provides details on the functional safety concept, including information on hazard analysis and risk assessment.

Part 4 – Product Development at the System Level

Part 4 covers general topics for initiating system-level product development, specifications for technical safety, system architectural design, item integration, and testing and safety validation.

Part 5 – Product Development at the Hardware Level

Part 5 addresses specifications for hardware safety and design, evaluation of hardware architectural metrics, evaluation of safety goal violations due to random hardware failures, and hardware integration and verification.

Part 6 – Product Development at the Software Level

Part 6 provides information on software safety specifications, software architectural design, software unit design and implementation, software unit verification, software integration and verification, as well as embedded software testing.

Part 7 – Production, Operation, Service and Decommissioning

Part 7 features planning activities to address automotive system safety throughout the remaining phases of the product lifecycle – production, operation, service and decommissioning.

Part 8 – Supporting Processes

Part 8 addresses the supporting processes of functional safety, including interfaces within distributed developments (the development interface agreement between customer and supplier), specification and management of safety requirements, configuration management, change management, verification, documentation management, confidence in the use of software tools, qualification of software components and hardware elements, and proven-in-use arguments for existing components.

Part 9 – Automotive Safety Integrity Level (ASIL)-Oriented and Safety-Oriented Analysis

Part 9 covers ASIL-oriented and safety-oriented analyses: ASIL decomposition, the criteria for coexistence of elements with different ASILs, analysis of dependent failures, and the safety analyses (such as FMEA and fault tree analysis) used to find causes of safety goal violations. The severity, exposure and controllability classes used to derive an ASIL are defined in Part 3.

Part 10 – Guidelines on ISO 26262

Part 10 provides an overview of the ISO 26262 standard, including additional explanations, and is meant to enhance understanding about concepts covered in the other sections.

Part 11 – Guidelines on Application of ISO 26262 to Semiconductors

Part 11 offers guidance on how to develop ISO 26262-compliant semiconductor components, including estimation of base failure rates, dependent failure analysis for semiconductors, fault injection, treatment of intellectual property (IP), and technology-specific guidance for digital and analogue/mixed-signal components, programmable logic, multi-core devices, and sensors and transducers.

Part 12 – Adaptation of ISO 26262 for Motorcycles

Part 12 specifies functional safety requirements for motorcycle E/E systems. It includes tailored information on safety culture, confirmation measures, hazard analysis and risk assessment, vehicle integration and testing, and safety validation.

What is ASIL?


Central to ISO 26262 compliance, the Automotive Safety Integrity Level (ASIL) is the standard's risk classification for potential E/E malfunctions. An ASIL expresses how much risk reduction a safety goal needs, and therefore how rigorous the development, verification and confirmation activities must be; for hardware it also sets the target values for the architectural metrics (such as the single-point fault metric) through which the standard drives out unprotected single points of failure. The ASIL is not a pass/fail road-worthiness threshold in itself, but customers generally require evidence that each safety goal's ASIL has been met before a component goes into series production. The ASIL rating process begins with a Hazard Analysis and Risk Assessment (HARA), which asks a basic question: “If this function malfunctions in a given driving situation, what happens to the driver and other road users?” The HARA identifies and classifies hazardous events, that is, hazards caused by malfunctioning behavior of the item, combined with the operational situations in which they can lead to harm.

You classify each hazardous event using three criteria, each with classes defined by the standard:

  • Severity (S0 to S3) – the potential harm to the driver, passengers and other road users: S0 no injuries; S1 light and moderate injuries; S2 severe and life-threatening injuries (survival probable); S3 life-threatening (survival uncertain) or fatal injuries.
  • Exposure (E0 to E4) – the probability of being in the operational situation in which the hazard can lead to harm, not the probability of the malfunction itself: E0 incredible; E1 very low; E2 low; E3 medium; E4 high.
  • Controllability (C0 to C3) – the probability that the driver or other persons involved can act in time to avoid the harm: C0 controllable in general; C1 simply controllable; C2 normally controllable; C3 difficult to control or uncontrollable.

After you assess all potential hazards, you create safety goals to prevent or reduce each hazard. Each safety goal receives an ASIL rating, as defined by the ISO 26262 standard.

ASIL ratings are QM (quality managed), A, B, C and D. QM means the hazard does not require ISO 26262 safety measures beyond the organization's normal quality management process, while D indicates the highest level of risk and therefore the most demanding development, verification and confirmation requirements. A classification of S0, E0 or C0 always results in QM. For help with the classification, you can refer to the guidelines in SAE J2980 – Considerations for ISO 26262 ASIL Hazard Classification.

Not surprisingly, the cost and complexity of compliance can increase significantly with each ASIL level. While an ASIL A rating may have limited effects on your development process, an ASIL D rating can have a much more significant impact on timing and costs.

ASIL decomposition, defined in Part 9, can help. It splits a safety requirement into redundant requirements allocated to two elements that are sufficiently independent, each carrying a lower ASIL; the original ASIL stays attached in the notation, so a requirement decomposed from ASIL D might become ASIL B(D) plus ASIL B(D), or ASIL C(D) plus ASIL A(D). Independence is the key condition: the decomposition is only valid if a dependent failure analysis shows the two elements do not fail together, and the decomposed elements are still integrated and verified together at the original ASIL. Used with care, it lets you meet the safety requirements while reducing the cost and effort concentrated in a single element.
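To make the classification and decomposition rules above concrete, here is a small Python module written for this article. It is not New Eagle's code and not text from the standard; it encodes the ISO 26262-3 ASIL determination table (S, E and C classes to QM/A/B/C/D) and the ISO 26262-9 decomposition patterns. The hazardous-event rows, the item and all names are constructed for illustration.

```python
"""ASIL determination and ASIL decomposition checks (illustrative, added example)."""
from dataclasses import dataclass

# Ordering used to compare ASILs; QM is the lowest.
ASIL_ORDER = ("QM", "A", "B", "C", "D")

# ISO 26262-9 decomposition patterns.  A requirement at the key ASIL may be
# split over two sufficiently independent elements carrying one of the listed
# pairs; the standard writes the result as, e.g., "B(D)".  Pairs are stored
# with the higher ASIL first.
DECOMPOSITION_PATTERNS = {
    "D": {("C", "A"), ("B", "B"), ("D", "QM")},
    "C": {("B", "A"), ("C", "QM")},
    "B": {("A", "A"), ("B", "QM")},
    "A": {("A", "QM")},
}


@dataclass(frozen=True)
class HazardousEvent:
    """One HARA row: a hazard in an operational situation (constructed data)."""
    name: str
    severity: int         # S0..S3
    exposure: int         # E0..E4
    controllability: int  # C0..C3


def determine_asil(severity: int, exposure: int, controllability: int) -> str:
    """Apply the ISO 26262-3 ASIL determination table.

    The table is equivalent to summing the class indices: S+E+C of 10 gives D,
    9 gives C, 8 gives B, 7 gives A and 6 or less gives QM.  Any class of 0
    (S0, E0 or C0) means no ASIL is assigned, i.e. QM.
    """
    if not (0 <= severity <= 3 and 0 <= exposure <= 4 and 0 <= controllability <= 3):
        raise ValueError("classes must be S0-S3, E0-E4, C0-C3")
    if 0 in (severity, exposure, controllability):
        return "QM"
    score = severity + exposure + controllability
    return {10: "D", 9: "C", 8: "B", 7: "A"}.get(score, "QM")


def safety_goal_asil(events) -> str:
    """A safety goal inherits the highest ASIL of the hazardous events it covers."""
    asils = [determine_asil(ev.severity, ev.exposure, ev.controllability) for ev in events]
    return max(asils, key=ASIL_ORDER.index)


def check_decomposition(goal_asil: str, element_asils, independent: bool):
    """Return None if the proposed split is a valid ISO 26262-9 decomposition,
    otherwise a string explaining why it is rejected.

    `independent` stands in for the evidence from a dependent failure analysis
    that the two elements are sufficiently independent; without that evidence
    no pattern is acceptable.
    """
    if goal_asil == "QM":
        return "QM requirements are not decomposed"
    if len(element_asils) != 2:
        return "decomposition is applied to exactly two elements"
    if not independent:
        return "elements must be shown sufficiently independent (dependent failure analysis)"
    pair = tuple(sorted(element_asils, key=ASIL_ORDER.index, reverse=True))
    if pair not in DECOMPOSITION_PATTERNS[goal_asil]:
        return f"{tuple(element_asils)} is not an allowed pattern for ASIL {goal_asil}"
    return None


if __name__ == "__main__":
    # Constructed HARA rows for a hypothetical electronic throttle item.
    events = [
        HazardousEvent("unintended acceleration in dense city traffic", 3, 4, 3),
        HazardousEvent("unintended acceleration while parking", 2, 3, 2),
    ]
    goal = safety_goal_asil(events)
    print("safety goal ASIL:", goal)
    print("B(D)+B(D) with independence:", check_decomposition(goal, ("B", "B"), True))
    print("B(D)+A(D):", check_decomposition(goal, ("B", "A"), True))
```

Two points the code makes that the prose does not: the standard's table collapses to a sum of the class indices, which is a handy sanity check when reviewing someone else's HARA, and a decomposition proposal is rejected outright when independence has not been demonstrated, regardless of how attractive the ASIL pair looks.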



How to Stay ISO 26262 Compliant

To achieve and maintain ISO 26262 compliance, your team needs to pull together the right mix of talent and tools to incorporate the standard into your product development and efficiently move your systems to market.

Automotive functional safety engineers (AFSE), who complete rigorous training in hardware and software safety practices, and execution of HARAs, make effective project leads.

These certified professionals can help your engineering teams repeatedly evaluate work to look for errors, redundancies and single points of failure that could cause malfunctions in the end-product vehicle.

Development and testing tools can also enhance your capabilities. They can help with requirements traceability, efficiency of code authorship, fault-tree analysis and requirements-based testing.

Partner with the Experts

To keep your project on track, consider partnering with New Eagle. Our engineering consulting services, as well as our full range of ISO-capable software and hardware options prepare you for ISO 26262 compliance – and help you stay there. Our AFS-certified engineering consultants can design a production control system to get your vehicle on the road safely and quickly. They can assess systems and develop functional safety concepts to help you meet ASIL ratings and ISO 26262 requirements.

Our Raptor-Dev embedded model-based development software increases the efficiency of your software development and can be used with MathWorks™ toolboxes to provide traceability to safety requirements. Our Raptor-Test tool performs automated regression tests of both software and hardware to make sure your system meets its requirements at the final stages of development.

We also offer several ISO 26262-capable hardware solutions that feature our easy-to-use Raptor software and built-in safety compliance. These ECUs allow you to streamline your development process, retain full design control and intellectual property rights, and build an efficient path to production.

Interested in our services? Contact our sales team today at 734-929-4557.
